Expert Chat API

The Expert Chat endpoint is the primary interface to the Secberus agents. It accepts a conversation and streams back a grounded, GRC-focused response built by the orchestrator. Use it for compliance questions, cross-framework synthesis, document validation, and to trigger workflows via slash commands.

POST /v1/expert
Property Value
Auth authorization: YOUR_API_KEY (required)
Content-Type application/json
Response text/event-stream (Server-Sent Events)

Request Body

Field Type Required Description
messages array[ExpertMessage] Yes Full conversation history. The last message must have role user.
frameworks array[string] No Framework IDs to scope context retrieval. Detected automatically if omitted.
document_ids array[string] No Uploaded document IDs to include as context (from the Documents API).

ExpertMessage Object

Field Type Required Description
role string Yes user or assistant
content string Yes Message text

Conversation history is passed in full on every call — the endpoint is stateless. To continue a conversation, append the assistant's previous reply (as a assistant message) and the new user message, then resend the whole array.


Streaming Response

The endpoint responds with a 200 OK and an SSE stream of tokens as the agent generates them. Each event carries a chunk of the answer; concatenate them in order to reconstruct the full response.

POST /v1/expert  →  200 OK
Content-Type: text/event-stream

data: Your access-control policy
data:  satisfies PCI DSS v4 requirement
data:  8.3.6 (minimum password length)…

With curl, use -N to disable buffering and see tokens arrive live:

curl -N -X POST https://compliance.secberus.ai/v1/expert \
  -H "authorization: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "messages": [ { "role": "user", "content": "What does PCI DSS require for MFA?" } ] }'

Because the response is an event stream, set your HTTP client to read incrementally rather than waiting for a complete body. Most SSE and fetch-streaming libraries handle this for you.


Examples

Single question

curl -N -X POST https://compliance.secberus.ai/v1/expert \
  -H "authorization: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "messages": [
      { "role": "user", "content": "What MFA requirements must I satisfy under PCI DSS v4?" }
    ],
    "frameworks": ["pci_dss_v4"]
  }'

Cross-framework synthesis

Scope to two frameworks and the orchestrator will reconcile their requirements into a combined answer:

curl -N -X POST https://compliance.secberus.ai/v1/expert \
  -H "authorization: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "messages": [
      { "role": "user", "content": "What MFA requirements must a combined PCI DSS v4 and NIST 800-53 control satisfy?" }
    ],
    "frameworks": ["pci_dss_v4", "nist_800_53_r5"]
  }'

Validate an uploaded document

Reference a document from your corpus to have the agent check it against framework controls:

curl -N -X POST https://compliance.secberus.ai/v1/expert \
  -H "authorization: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "messages": [
      { "role": "user", "content": "Does my uploaded policy meet PCI DSS password requirements?" }
    ],
    "frameworks": ["pci_dss_v4"],
    "document_ids": ["doc_01h9z…"]
  }'

Multi-turn conversation

Resend the full history, including the assistant's prior turn:

curl -N -X POST https://compliance.secberus.ai/v1/expert \
  -H "authorization: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "messages": [
      { "role": "user", "content": "What does PCI DSS require for password length?" },
      { "role": "assistant", "content": "PCI DSS v4 requirement 8.3.6 requires a minimum of 12 characters…" },
      { "role": "user", "content": "How does that compare to NIST 800-63B?" }
    ],
    "frameworks": ["pci_dss_v4", "nist_800_53_r5"]
  }'

Slash commands

If the last user message begins with /, it is interpreted as a structured workflow command rather than a free-form question. For example, /policy-coverage --frameworks pci_dss_v4 runs the coverage workflow and streams a per-control report. See Workflows for the full command reference, and list available commands with GET /v1/slash-commands.


Grounding behavior

  • Retrieval-first. The agent retrieves relevant control text and document passages before answering, and cites the framework and control IDs it used.
  • Automatic framework detection. If you omit frameworks, the orchestrator infers the relevant ones from your question.
  • Scoped to GRC. Questions outside governance, risk, and compliance are declined rather than answered from general knowledge.

Error Responses

Errors are returned (before the stream starts) in RFC 7807 format:

{
  "requestid": "req-abc123",
  "http_status": 400,
  "title": "Bad Request",
  "detail": "messages must not be empty; last message must have role \"user\""
}
Status Description
400 Bad Request — malformed body, empty messages, or last message not user
403 Forbidden — invalid or missing API key
500 Internal Server Error — contact support if persistent